ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 05:23:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement security audit fixes - rate limiting and SSRF protection (Issue #265 PR #2)

Browse Source 
This commit implements HIGH-02 (Rate Limiting) and HIGH-03 (SSRF Protection)
from the security audit, protecting against brute force attacks and
Server-Side Request Forgery.

Security Enhancements:
- Rate limiting: 20 attempts per 15 minutes per IP (configurable)
- SSRF protection: Three security modes (strict/moderate/permissive)
- DNS rebinding prevention
- Cloud metadata blocking in all modes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-10-06 15:40:07 +02:00
parent 9a00a99011
commit 06cbb40213
15 changed files with 1041 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/services/n8n-api-client.ts
View File

@@ -212,7 +212,16 @@ export class N8nApiClient {
async triggerWebhook(request: WebhookRequest): Promise<any> {
try {
const { webhookUrl, httpMethod, data, headers, waitForResponse = true } = request;
// SECURITY: Validate URL for SSRF protection (includes DNS resolution)
// See: https://github.com/czlonkowski/n8n-mcp/issues/265 (HIGH-03)
const { SSRFProtection } = await import('../utils/ssrf-protection');
const validation = await SSRFProtection.validateWebhookUrl(webhookUrl);
if (!validation.valid) {
throw new Error(`SSRF protection: ${validation.reason}`);
}
// Extract path from webhook URL
const url = new URL(webhookUrl);
const webhookPath = url.pathname;